From the bottom left aggregate menu, select the up chevron (1) and create a new CSF Full Assessment (2).
Prior to starting work on an assessment or performing a risk quantification, Axio recommends adding existing or estimated insurance data to support scenario modeling. Refer to Adding Insurance Data.
Once the new assessment has been created, its details need to be entered. The first question in the NIST CSF Full assessment is in the IDENTIFY (ID) function, in the category ID.AM – Asset Management.
The NIST CSF Assessment has five main functions (1), provided as tabs along the top of the assessment page. The five functions can also be navigated via the left-hand assessment menu, which provides entry points to the assessment categories (2) under each function.
| Function | Category | Examples of Outcomes |
|---|---|---|
| Identify | The Identify Function assists in developing an organizational understanding of managing cybersecurity risk to systems, people, assets, data, and capabilities. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs. | |
| | Asset Management | Identifying physical and software assets within the organization to establish the basis of an Asset Management program. |
| | Business Environment | Identifying the Business Environment the organization supports, including the organization's role in the supply chain and the organization's place in the critical infrastructure sector. |
| | Governance | Identifying cybersecurity policies established within the organization to define the Governance program, as well as identifying legal and regulatory requirements regarding the organization's cybersecurity capabilities. |
| | Risk Assessment | Identifying asset vulnerabilities, threats to internal and external organizational resources, and risk response activities as a basis for the organization's Risk Assessment. |
| | Risk Management Strategy | Identifying a Risk Management Strategy for the organization, including establishing risk tolerances. |
| | Supply Chain Risk Management | Identifying a Supply Chain Risk Management strategy, including priorities, constraints, risk tolerances, and assumptions used to support risk decisions associated with managing supply chain risks. |
| Protect | The Protect Function outlines appropriate safeguards to ensure the delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event. | |
| | Identity Management, Auth and Access Control | Protections for Identity Management and Access Control within the organization, including physical and remote access. |
| | Awareness and Training | Empowering staff within the organization through Awareness and Training, including role-based and privileged user training. |
| | Data Security | Establishing Data Security protection consistent with the organization's risk strategy to protect information confidentiality, integrity, and availability. |
| | Info Protection Processes and Procedures | Implementing Information Protection Processes and Procedures to maintain and manage the protection of information systems and assets. |
| | Maintenance | Protecting organizational resources through Maintenance, including remote maintenance activities. |
| | Protective Technologies | Managing Protective Technology to ensure the security and resilience of systems and assets are consistent with organizational policies, procedures, and agreements. |
| Detect | The Detect Function defines the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables the timely discovery of cybersecurity events. | |
| | Anomalies and Events | Ensuring Anomalies and Events are detected and their potential impact is understood. |
| | Security Continuous Monitoring | Implementing Security Continuous Monitoring capabilities to monitor cybersecurity events and verify the effectiveness of protective measures, including network and physical activities. |
| | Detection Processes | Maintaining Detection Processes to provide awareness of anomalous events. |
| Respond | The Respond Function includes appropriate activities to take action regarding a detected cybersecurity incident. The Respond Function supports the ability to contain the impact of a potential cybersecurity incident. | |
| | Response Planning | Ensuring Response Planning processes are executed during and after an incident. |
| | Communications | Managing Communications during and after an event with stakeholders, law enforcement, and external stakeholders as appropriate. |
| | Analysis | Analysis is conducted to ensure effective response and support recovery activities, including forensic analysis and determining the impact of incidents. |
| | Mitigation | Mitigation activities are performed to prevent expansion of an event and to resolve the incident. |
| | Improvements | The organization implements Improvements by incorporating lessons learned from current and previous detection/response activities. |
| Recover | The Recover Function identifies appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. The Recover Function supports timely recovery to normal operations to reduce the impact of a cybersecurity incident. | |
| | Recovery Planning | Ensuring the organization implements Recovery Planning processes and procedures to restore systems and/or assets affected by cybersecurity incidents. |
| | Improvements | Implementing Improvements based on lessons learned and reviews of existing strategies. |
| | Communications | Internal and external Communications are coordinated during and following the recovery from a cybersecurity incident. |
The response options are the buttons on the main assessment page that, depending on the assessment type, are labeled Incomplete, Initial, Managed, Defined, Quantitatively Managed, Optimizing, Not Implemented, Partially Implemented, Largely Implemented, Fully Implemented, etc.
To respond with one of those options, select the button that matches the correct state for your response.
Hovering over the responses displays an explanation of the different response levels available.
To the right of an assessment, information is provided in four tabs: Activity, Evidence, Help, and Advice.
The Activity tab provides information about the latest edits/updates to the assessment section, lists action items, and contains any notes.
Under Action items, add any action items relevant to the control or subcategory, such as “Ensure Asset Management Inventory is up to date and add regular cadence to review”. You can assign the Action Item to any user who has access to the assessment and set a date for when the action item should be completed.
For notes, you can type anything that may be relevant to the response, such as “ACME company has an Asset Management program in place. However, it is not regularly reviewed for accuracy and completeness.” To save any notes, click Save prior to navigating to another response.
Axio360 can be integrated with ticketing systems, such as ServiceNow’s Service Manager.
On the Evidence tab, any supporting evidence can be linked to the assessment. Add any evidence related to the response by using Links to Supporting Evidence. You can add the name of your document and the link location. Click Save prior to navigating to another response.
Axio does not store any evidence documents within the Axio360 platform. External links are supported for various file management platforms, including Microsoft SharePoint, Box.com, and Dropbox.
On the Help tab, supporting references are provided. These are links and references to regulations pertaining to the assessment type. The help is in context to the specific control selected.
On the Advice tab, users can ask an Axio Expert a question. The Axio Expert will be notified and respond as soon as possible. The question and answer will be available to the entire Axio community.
- Next to your user avatar, find Profile and switch from Current to Target.
- Targets are the next actions to achieve over time. To set questions as targets, toggle via “click+shift” when selecting a question.
- Once you are toggled to Target, select the level you want to set your Target Profile to. Axio recommends setting a target to a level that is attainable within the next year. You can also set specific target dates.
- Change the Profile back to Current to see the targets plus the dates that have been modified for each of the questions.
After an assessment is complete, you may create a report.
- On the bottom left, click Full Report.
- At the prompt, select whether to display notes inline or in an appendix at the end.
- Click Generate Report.
- Generating a report might take a moment, depending on the data entered.
- When the report is ready, you receive an on-screen notification that report generation is complete. You can then generate a PDF version of the Axio-generated NIST CSF report.
- Select View to view the report.